With our MDT environment up and running we’ve been refining our Windows 10 build over the past couple of months, sending out pilot builds to specific areas so we’re confident in the process when it comes to large-scale deployment over summer.

This post focuses on a few Windows 10-specific tweaks that we’ve made to the Task Sequence that may be of interest…

Thin image approach

In the past I was a fan of what could be called a Hybrid image model, inasmuch as I’d create a “Base” Reference image in a VM, usually comprised of Windows + Office + Updates. That would get captured and become the WIM file that goes into the Task Sequence.

However with Windows 10 I’ve decided to go down the completely thin approach, best represented as either a sandwich or a hamburger depending on your culinary preference (!). Effectively the deployment gets built from its component parts, starting from an unaltered source Windows 10 WIM file extracted from its parent ISO image.

In our case we’ve settled on Education 1709 x64 as the build to deploy, due to some useful features such as OneDrive Files on Demand and Windows Defender Exploit Guard. Along the way we’ve also used the 1607 and 1703 builds. The advantage of using the Thin image method is that we can swap the OS out at will with two clicks, rather than having to go through a Capture process that seems to have the potential for error.

Secure Boot validation

Windows 10 1709 brought in some new security features which benefit from machines being converted from BIOS to UEFI mode, and in some cases (Windows Defender Credential Guard) Secure Boot is required too. Seeing as we need to convert older machines from BIOS to UEFI anyway it made sense to enable Secure Boot at the same time.

The question was how to ensure that a machine is correctly configured before starting the imaging process (as converting later on is far from ideal).

The answer is to run cmd.exe as a Task Sequence step that exits with a non-zero return code when either of the following is true:

Task Sequence variable IsUEFI is False, and \ or

the UEFISecureBootEnabled registry value (under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\State) is 0

If the machine is configured incorrectly the Task Sequence will fail before it even starts to pull down the image. To ensure you catch it early enough, add the step near the top of the sequence, before the Install Operating System step:

Putting the two together looks like this:
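The same pre-flight check as a PowerShell script rather than a cmd.exe one-liner. This is an added example, not the step from the original post; it reads the firmware type from the PEFirmwareType value that ZTIGather itself uses to populate IsUEFI, cross-checks the Task Sequence variable through the Microsoft.SMS.TSEnvironment COM object (assumed to be registered, as it is in Lite Touch WinPE), and exits non-zero so the sequence stops before the image is applied.

```powershell
# Added example (not the original post's step): stop the Task Sequence early when the
# machine is still in legacy BIOS mode or has Secure Boot turned off.
# Run it as a "Run PowerShell Script" step ahead of Install Operating System.

# WinPE records the firmware type at boot (1 = BIOS, 2 = UEFI); ZTIGather derives IsUEFI from it.
# Outside WinPE the same information is in $env:firmware_type ("Legacy" or "UEFI").
$FirmwareType = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' `
    -Name PEFirmwareType -ErrorAction SilentlyContinue).PEFirmwareType
$IsUefi = if ($FirmwareType) { $FirmwareType -eq 2 } else { $env:firmware_type -eq 'UEFI' }

# Secure Boot state as reported by the firmware; the whole key is absent on BIOS machines.
$SbState = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State' `
    -Name UEFISecureBootEnabled -ErrorAction SilentlyContinue
$SecureBoot = ($null -ne $SbState -and $SbState.UEFISecureBootEnabled -eq 1)

# Inside a Task Sequence, also honour MDT's own IsUEFI variable (assumption: the
# Microsoft.SMS.TSEnvironment COM object is available, which it is in Lite Touch WinPE).
try {
    $TsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    if ($TsEnv.Value('IsUEFI') -eq 'False') { $IsUefi = $false }
} catch {
    # Not running under a Task Sequence; the registry checks above are all we have
}

$Problems = @()
if (-not $IsUefi)     { $Problems += 'firmware is in legacy BIOS mode (convert to UEFI before imaging)' }
if (-not $SecureBoot) { $Problems += 'Secure Boot is disabled or unsupported' }

if ($Problems.Count -gt 0) {
    # Write-Host output lands in the LiteTouch console and logs so the technician sees why it stopped
    Write-Host ('Pre-flight check failed: ' + ($Problems -join '; '))
    exit 1
}
Write-Host 'Pre-flight check passed: UEFI with Secure Boot enabled'
exit 0
```

The PowerShell optional component must be in the boot image for a Run PowerShell Script step to work in WinPE; if it isn’t, the cmd.exe version of the same registry check is the way to go.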

Removing the cruft

Sadly, despite Microsoft giving Education our very own specific build of Windows, they didn’t extend the effort into cleaning up the junk that gets pushed down with a standard Windows 10 installation. Seriously, who wants Candy Crush on their business machines?!

Fortunately scripts exist to assist with cleaning up the junk shipped with the OS so it’s suitable for deployment. Now we can do this with DISM at image level but again my aim is to avoid tinkering with the Microsoft media if possible so I prefer the following PowerShell method…
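As an added example (not the script the post links to), here is the shape of such a clean-up run as a Run PowerShell Script step after the OS is installed and before anyone logs on. The removal list is an assumption to adjust per build; the names are the DisplayName/Name values the Get-Appx* cmdlets report. It removes both the provisioned packages (what every new profile would receive) and the copies already installed for the deploying account.

```powershell
# Added example: de-provision consumer apps on a freshly deployed Windows 10 machine
# without modifying the WIM. Run elevated during the Task Sequence, before first user logon.

# Assumed removal list; tune to taste. Anything not listed stays.
$Unwanted = @(
    'king.com.CandyCrushSodaSaga',
    'Microsoft.BingNews',
    'Microsoft.BingWeather',
    'Microsoft.GetHelp',
    'Microsoft.Getstarted',
    'Microsoft.Messaging',
    'Microsoft.MicrosoftOfficeHub',
    'Microsoft.MicrosoftSolitaireCollection',
    'Microsoft.OneConnect',
    'Microsoft.People',
    'Microsoft.SkypeApp',
    'Microsoft.ZuneMusic',
    'Microsoft.ZuneVideo'
)
# Partner and Xbox apps change names between builds, so match by prefix as well
$Patterns = @('king.com.*', 'Microsoft.Xbox*')

function Test-Unwanted([string]$Name) {
    if ($Unwanted -contains $Name) { return $true }
    foreach ($p in $Patterns) { if ($Name -like $p) { return $true } }
    return $false
}

# 1. Provisioned packages: these are installed into every NEW user profile at first logon
Get-AppxProvisionedPackage -Online |
    Where-Object { Test-Unwanted $_.DisplayName } |
    ForEach-Object {
        Write-Host "Deprovisioning $($_.DisplayName)"
        Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
    }

# 2. Packages already installed for existing accounts (the local Administrator under MDT)
Get-AppxPackage -AllUsers |
    Where-Object { Test-Unwanted $_.Name } |
    ForEach-Object {
        Write-Host "Removing $($_.Name)"
        Remove-AppxPackage -Package $_.PackageFullName -ErrorAction SilentlyContinue
    }

# Report what is still provisioned so the list can be tuned for the next build
Get-AppxProvisionedPackage -Online | Select-Object DisplayName | Sort-Object DisplayName
```

Keep the list conservative: some inbox packages (the Store itself, the photo viewer, calculator) are relied on by other features, and removing them is harder to undo than leaving them in place.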

Disable Refresh \ Reset

Another Windows 10-specific tweak is to disable the Refresh \ Reset menu that users can access either through the Settings app or by holding Shift while clicking Restart. In our case we don’t want users to wipe their machine clean of provisioned applications, and it appears that this functionality will work even without local admin rights (!)

The solution to this one came via the EduGeek forums courtesy of ErVaDy using bcdedit commands:

Updating OneDrive Files on Demand Client

In a way that only Microsoft can, Windows 10 1709 shipped with an old version of the OneDrive client that doesn’t work with the much-anticipated Files on Demand feature straight out the box 😦

Although the client does auto-update we didn’t want any automatic sync starting without the placeholder functionality being in place so I’ve scripted an Application in the MDT Task Sequence to take ownership of the file on the newly deployed image, copy the latest version of the client over and then set everything back as it was.

Pre-staging printer drivers

During our Windows 10 deployment we’re also migrating to a new set of Windows Print Servers, along with new GPOs to map them. However in initial testing I noted the first user to log in had a long wait whilst drivers were copied down from the server and installed.

Although subsequent logins won’t get this issue it doesn’t give a good first impression to the initial user so I wanted to find a way around it.

Because we’ve rationalised our print fleet over the past few years in a move towards MFDs I only have 3 drivers to cover the entire range of hardware. By using a script method I can then pre-stage the drivers onto the machine at image time and speed up that first logon significantly!

Again paste this into a batch file and call it as an Application (use an Application step instead of Run Command Line so that the driver files are copied into the Deployment Share alongside the script)

Note the use of %CD% to ensure the path to the driver file is resolved correctly!
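A PowerShell version of the same idea, as an added example rather than the original batch file: it stages every INF package found in a Drivers\ folder next to the script (an assumed layout) into the local driver store with pnputil, so the point-and-print connection on first logon no longer has to copy the package from the print server. $PSScriptRoot plays the role %CD% does in the batch version, which is why the step still needs to be an MDT Application.

```powershell
# Added example: pre-stage printer driver packages at image time.
# Assumptions: INF packages live under <Application source>\Drivers, and this runs as an
# MDT Application so that folder is copied to the machine along with the script.

$DriverRoot = Join-Path $PSScriptRoot 'Drivers'
$Infs = Get-ChildItem -Path $DriverRoot -Filter *.inf -Recurse -ErrorAction SilentlyContinue
if (-not $Infs) {
    Write-Error "No INF files found under $DriverRoot"
    exit 1
}

$Failed = @()
foreach ($Inf in $Infs) {
    # /add-driver is the Windows 10 1607+ syntax; older builds use "pnputil -a <inf>"
    & pnputil.exe /add-driver $Inf.FullName | Out-Null
    # 0 = added, 3010 = added but reboot required; anything else is a failure
    if ($LASTEXITCODE -notin @(0, 3010)) {
        Write-Warning "pnputil returned $LASTEXITCODE for $($Inf.Name)"
        $Failed += $Inf.Name
    }
}

# Show what is now in the driver store so the result is visible in the MDT logs
& pnputil.exe /enum-drivers | Select-String 'Original Name|Class Name|Provider Name'

if ($Failed.Count -gt 0) { exit 1 }
exit 0
```

Only packages for the Windows 10 architecture being deployed belong in the folder; pnputil will reject the rest, which is exactly what the non-zero exit code surfaces.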

WSUS resources

Although there’s nothing special about running Windows Updates in MDT (use the built-in Task Sequence steps) we noticed that our WSUS server was struggling and sometimes hung the “Install Updates” step of the Sequence. The WSUS console then became unresponsive on the server end too.

After further research it turns out our increasing number of machines needs more resource than the default private memory limit on the WsusPool IIS Application Pool (roughly 2GB) to handle the connections; once the limit is hit IIS recycles the pool and clients mid-scan are cut off. Upon making the change below it’s back to being stable again.
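The same change scripted, as an added example rather than the post’s screenshot: it reads the current WsusPool private memory limit, raises it (the 4 GB figure is an assumption; 0 means no limit, otherwise the value is in KB), bumps the request queue length, and recycles the pool. Run elevated on the WSUS server.

```powershell
# Added example: raise the WsusPool private memory limit and queue length, then recycle the pool.
Import-Module WebAdministration

$PoolPath   = 'IIS:\AppPools\WsusPool'
$NewLimitKB = 4194304   # assumed: 4 GB. Use 0 for unlimited; default is 1843200 KB (~1.8 GB)

function Get-WsusPoolMemoryLimit {
    $Raw = Get-ItemProperty -Path $PoolPath -Name recycling.periodicRestart.privateMemory
    # WebAdministration returns a ConfigurationAttribute on some builds and a plain number on others
    if ($Raw.PSObject.Properties['Value']) { return [uint32]$Raw.Value } else { return [uint32]$Raw }
}

$Before = Get-WsusPoolMemoryLimit
Set-ItemProperty -Path $PoolPath -Name recycling.periodicRestart.privateMemory -Value $NewLimitKB

# More memory stops the recycles; a longer queue stops IIS refusing clients outright when a
# whole room images at once and every machine scans at the same time (default 1000)
Set-ItemProperty -Path $PoolPath -Name queueLength -Value 2000

Restart-WebAppPool -Name 'WsusPool'

'WsusPool privateMemory: {0} KB -> {1} KB' -f $Before, (Get-WsusPoolMemoryLimit)
```

Watch the server’s actual memory after the change: the limit only helps if the box has headroom to give the pool, otherwise the hang just moves from IIS to the page file.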

Run WinSAT

An oldie-but-goodie; running the WinSAT assessment tool at the end of setup will make sure your machine is properly benchmarked and appropriate performance tuning is performed by Windows. It doesn’t take long so I thought it worth continuing with:

As far as blog titles go this one has ended up sounding more like an adventure book than a technical post! Unfortunately not that exciting but useful nonetheless.

My colleague Tristan Revell has recently been building new installer packages for our Adobe CC apps but ran into an odd-yet-irritating bug where explorer.exe would disappear during the install process and not be restarted at the end, leaving the user stranded on a blank desktop.

It didn’t happen every time either, so the behaviour looked to be rather unpredictable. Everything else on the install in terms of the Adobe side went through fine.

Upon reading around the support forums it seems to be an issue Adobe have been aware of for some time but still not fixed (first post in 2013 and still being reported 5 years later!)

Whilst trying to find a solution I remembered a useful script from a while back that checked if a process was running and then took action based on the results. Looked perfect to use here so we tried adding it as a post-install action on our ZCM Bundle.
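For anyone wanting to build the same check, here is an added example of such a post-install action (not Tristan’s script): it waits briefly for the installer to put explorer.exe back itself, and only starts a shell if one is still missing. It assumes the bundle runs in the logged-on user’s session; started as SYSTEM it would launch a shell in session 0, which helps nobody.

```powershell
# Added example: restore explorer.exe after an installer that kills the shell and forgets
# to restart it. Run in the user's session as the last action of the install.

function Restore-ExplorerShell {
    param(
        [int]$WaitSeconds = 30   # give the installer a chance to restart the shell itself
    )
    $Deadline = (Get-Date).AddSeconds($WaitSeconds)
    do {
        if (Get-Process -Name explorer -ErrorAction SilentlyContinue) {
            return 'already-running'
        }
        Start-Sleep -Seconds 2
    } while ((Get-Date) -lt $Deadline)

    # Still no shell after the grace period: start one for the current user
    Start-Process -FilePath (Join-Path $env:WINDIR 'explorer.exe')
    Start-Sleep -Seconds 3
    if (Get-Process -Name explorer -ErrorAction SilentlyContinue) { return 'restarted' }
    return 'failed'
}

$Result = Restore-ExplorerShell
"$(Get-Date -Format s) explorer.exe check: $Result" |
    Out-File -FilePath (Join-Path $env:TEMP 'ExplorerCheck.log') -Append
if ($Result -eq 'failed') { exit 1 }
exit 0
```

Starting explorer.exe from a fresh process rather than from inside the installer matters: a shell started by the installer would inherit its token and environment and be torn down with it.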

With MDT installed we initially used some basic out-the-box Task Sequences to get up and running. Deployment worked as expected but it was quite a manual process (entering the machine name, selecting Applications to install and so on).

On our old ZCM \ Windows 7 imaging project we were starting from scratch to some extent with a lot of new hardware, so entering certain information manually at image time was actually a desired behaviour. Not so much now with a fairly settled estate and ever increasing time pressures – automation is the name of the game.

As such the database-driven model now makes a lot more sense as we were able to export a list of machines and roles from ZENWorks so MDT could “know” what it needs to do with a machine rather than anyone needing to tell it.

SQL Installation

Nice and simple (free too) with SQL Express as per the previous post. One thing you need to watch out for is to ensure Named Pipes is enabled under SQL Server Network Configuration in SQL Server Configuration Manager (and the SQL Server service restarted afterwards) or you’ll get errors when trying to connect to the database remotely. MDT connects over named pipes because WinPE has no domain identity of its own; it reuses the credentials already used to connect to the deployment share.
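If you would rather script that than click through Configuration Manager, here is an added example (not from the post) that enables Named Pipes on a SQL Express instance through the registry values Configuration Manager itself writes, makes sure SQL Browser is running so the named instance can be resolved, and restarts the engine. The instance name is an assumption; the script looks up the instance’s registry path rather than hard-coding the version prefix.

```powershell
# Added example: enable Named Pipes for a SQL Express instance and restart it. Run elevated
# on the SQL server. Assumption: the instance is called SQLEXPRESS.

$InstanceName = 'SQLEXPRESS'
$InstanceMap  = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$InstanceId   = (Get-ItemProperty -Path $InstanceMap).$InstanceName   # e.g. MSSQL14.SQLEXPRESS
if (-not $InstanceId) { throw "Instance $InstanceName not found under $InstanceMap" }

$NetLib = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceId\MSSQLServer\SuperSocketNetLib"

function Get-ProtocolState([string]$Protocol) {
    (Get-ItemProperty -Path (Join-Path $NetLib $Protocol) -Name Enabled).Enabled
}

$Before = Get-ProtocolState 'Np'
Set-ItemProperty -Path (Join-Path $NetLib 'Np') -Name Enabled -Value 1

# SQL Browser answers "which pipe / port is instance X on" for named instances
Set-Service -Name SQLBrowser -StartupType Automatic
Start-Service -Name SQLBrowser

# Protocol changes only take effect when the engine restarts
$Service = if ($InstanceName -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$InstanceName" }
Restart-Service -Name $Service -Force

"Named Pipes on $InstanceId`: was {0}, now {1}" -f $Before, (Get-ProtocolState 'Np')
```

Named pipes ride on SMB (TCP 445), so the Windows Firewall on the SQL box needs File and Printer Sharing allowed from the deployment network, plus UDP 1434 for SQL Browser, before remote connections will work.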

Managing the database

The MDT console is functional when it comes to managing the database but it’s not the ideal interface, especially if you need to make a lot of changes as MMC can be somewhat clunky at times. Although you can use the MDT Workbench remotely it’s not perhaps something you’d want to give everyone access to.

However, there is a better way 🙂

Whilst browsing across forums I came across a link to a brilliant little tool called MDT Administrator, it’s currently hosted on the soon-to-be-defunct Codeplex site. Although Microsoft say an archive will be kept running how long for is anyone’s guess so keep a copy saved somewhere safe!

It’s a nifty HTA-based front-end that provides a much slicker way to manage your database. Adding and removing Roles is much quicker in particular, which is something we use a lot (more on that later).

One additional tweak to the setup was to create a new group of MDT Database Admins who were granted write access against their SQL login. This meant we could delegate management of the computer records in the database to technicians without needing to open up access to the full Deployment Workbench interface. Perfect for on-the-go updates as machines are moved around and replaced.

Restarting deployment

Sometimes we’ll come across a machine that isn’t in the database, usually something that’s been on the shelf for a while or a laptop that’s been “off the grid” and come back for reimaging. In those cases you only find out that there’s no record after the deployment wizard has started and you get offered a randomly-generated name starting with MININT.

You can also check this in the ZTIGather.log file to see what information was found about the machine and whether any matching records were returned from the database. This step can be handy to troubleshoot unexpected behaviours that can be caused by something a bit out the ordinary e.g. DMI information entered into BIOS incorrectly by the manufacturer, which has happened to us a few times.

To save yourself an unwanted reboot after amending a record in the database, hit F8 whilst at the deployment wizard (assuming you’re still in the WinPE environment) then type in the magic command

wpeinit

Deployment will now restart with a fresh “Gather” phase and query the database again to pick up your new record; you should then see the correct name appear in the deployment wizard.

Bulk operations

Picture the situation… you’ve had a batch of 100 new laptops arrive, who gets the painful job of entering them into the database? Answer: PowerShell!

If manual data entry leaves you cold you’ll love the next set of scripts, allowing you to create a CSV of import data then run one command et voilà, lots of effort and fingers saved.

The check script is rather important, as without it MDT will quite happily create duplicate records and you don’t want that! If you don’t want to do the additional checks in Active Directory you can disable those sections by commenting them out.

I then made some changes to the Import Check script so it would process a CSV file to do all the work in one go. One big change was to replace the BREAK sections with CONTINUE as I didn’t want one duplicate record error to prevent the rest of the import from running. It seems to work for me but I’d advise testing that yourself before doing the same.
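To make the shape of that concrete, here is an added example of a CSV import with duplicate checks and continue-on-error semantics. It is not the post’s modified script; it assumes the MDTDB.psm1 module from the MDT team (Connect-MDTDatabase, Get-MDTComputer, New-MDTComputer) and the ActiveDirectory module are installed, and the server, instance, database names and CSV columns are placeholders. The sample rows are constructed for illustration.

```powershell
# Added example: bulk-import machines into the MDT database, skipping duplicates by MAC,
# serial number or existing AD computer object, and carrying on past bad rows.
Import-Module MDTDB
Import-Module ActiveDirectory   # drop this and the Get-ADComputer check to skip AD lookups

Connect-MDTDatabase -sqlServer 'MDT01' -instance 'SQLEXPRESS' -database 'MDT'   # placeholders

# Constructed sample data; in real use: $Rows = Import-Csv .\NewLaptops.csv
$Rows = @'
ComputerName,MacAddress,SerialNumber,Description
LT-ROOM1-01,00-11-22-33-44-55,ABC123,Classroom laptop
LT-ROOM1-02,001122334456,ABC124,Classroom laptop
'@ | ConvertFrom-Csv

function ConvertTo-MdtMac([string]$Mac) {
    # MDT stores MACs upper-case and colon-separated; accept dashes, dots or nothing in the CSV
    $Hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($Hex.Length -ne 12) { throw "Bad MAC address '$Mac'" }
    return ($Hex -replace '(..)(?!$)', '$1:')
}

$Summary = @{ Added = 0; Skipped = 0; Failed = 0 }
foreach ($Row in $Rows) {
    try {
        $Mac = ConvertTo-MdtMac $Row.MacAddress

        # MDT itself will happily create a second identity for the same hardware, so check first
        if (Get-MDTComputer -macAddress $Mac) {
            Write-Warning "$($Row.ComputerName): MAC $Mac already in the database, skipping"
            $Summary.Skipped++; continue
        }
        if ($Row.SerialNumber -and (Get-MDTComputer -serialNumber $Row.SerialNumber)) {
            Write-Warning "$($Row.ComputerName): serial $($Row.SerialNumber) already in the database, skipping"
            $Summary.Skipped++; continue
        }
        if (Get-ADComputer -Filter "Name -eq '$($Row.ComputerName)'") {
            Write-Warning "$($Row.ComputerName): computer object already exists in AD, skipping"
            $Summary.Skipped++; continue
        }

        New-MDTComputer -macAddress $Mac -serialNumber $Row.SerialNumber -description $Row.Description `
            -settings @{ OSDComputerName = $Row.ComputerName } | Out-Null
        $Summary.Added++
    }
    catch {
        # continue rather than break: one bad row must not stop the rest of the import
        Write-Warning "$($Row.ComputerName): $($_.Exception.Message)"
        $Summary.Failed++
        continue
    }
}
'Added {0}, skipped {1}, failed {2}' -f $Summary.Added, $Summary.Skipped, $Summary.Failed
```

The MAC normalisation matters more than it looks: a record stored as 00-11-22-… will never match what ZTIGather sends, so the machine gets a MININT name even though it is “in” the database.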

Roles

Another part of the database that comes in really useful is Roles. In our case we install different software for machines deployed in a classroom to those that go in offices. On our previous ZCM imaging system I made a custom script for the technician to select the machine type but now we can automate that via the database.

Once a Role is assigned to a machine specific Applications can be assigned. That’s neat in itself but for added flexibility you can also then query the Roles during Task Sequence execution to take specific actions based on what type of machine you’re dealing with.

At the moment I’ve stuck to only using one Role per machine in the database to make life easy for myself in the Task Sequence. The reason being that I then know when I query the TS variable “Role001” it will always return the data I’m looking for, i.e. is this a classroom machine or one in an office? In an ideal world I’d test with multiple machine Roles to see what order they’re returned in and split things out a bit, but I’m short on time and this method works for what we need.

During the Task Sequence I can then use WMI queries to get the granularity required to deploy software for specific machines, more on that in a later post…
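As an added example (not part of the post) of the multiple-roles case, the script below walks every RoleNNN variable rather than trusting Role001, folds the result into a single MachineType variable that later steps can condition on, and pulls in the hardware facts ZTIGather already collected for finer decisions. The role names Classroom and Office are assumptions; run it as a Run PowerShell Script step after Gather.

```powershell
# Added example: collect all RoleNNN Task Sequence variables and set one MachineType variable.
$TsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment

# MDT numbers roles Role001, Role002, ... in whatever order the database returned them,
# so gather the whole list and test membership instead of assuming Role001 is the one you want
$Roles = @()
$i = 1
while ($true) {
    $Value = $TsEnv.Value(('Role{0:D3}' -f $i))
    if ([string]::IsNullOrEmpty($Value)) { break }
    $Roles += $Value
    $i++
}

$MachineType = if     ($Roles -contains 'Classroom') { 'Classroom' }   # assumed role names
               elseif ($Roles -contains 'Office')    { 'Office' }
               else                                  { 'Unknown' }

# Hardware facts are already gathered; combine them for per-model decisions
$Model    = $TsEnv.Value('Model')
$IsLaptop = $TsEnv.Value('IsLaptop')

$TsEnv.Value('MachineType') = $MachineType
Write-Host "Roles: $($Roles -join ', ') | MachineType=$MachineType | Model=$Model | IsLaptop=$IsLaptop"

# Later steps can then use the condition   Task Sequence Variable MachineType equals Classroom
# or a WMI query such as   SELECT * FROM Win32_ComputerSystem WHERE Model LIKE '%Latitude%'
```

An Unknown result is worth failing on rather than silently treating as Office: it usually means the machine has no database record, the same MININT situation described above.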

Outdated client on the image

In true MS fashion the 1709 ISO ships with the old OneDrive client (epic fail) which means users have an annoying wait while it updates. There’s also the possibility to start off with the wrong client and therefore syncing files down by mistake.

I was trying out an updater script that would copy over the new client but didn’t have much success in MDT. After looking more closely at the logs with CMTrace I could see it failing on the copy operation so I added a Suspend action and tried each step manually. That flagged up an access denied error.

I then realised that MDT runs its scripts as the local Administrator user rather than SYSTEM as SCCM would, therefore the script’s permissions need tweaking for MDT use:

This works like a charm! The updated client is installed during the Task Sequence and the first run as a user now begins with the 2017 client.
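The permission dance the two OneDrive sections above describe, written out as an added example rather than the post’s own Application script. It assumes the newer OneDriveSetup.exe sits next to the script in the Deployment Share, that on 64-bit Windows 10 the in-box copy is under SysWOW64 (System32 on 32-bit), and that the step runs as the local Administrator, so ownership has to be taken from TrustedInstaller and handed back afterwards. It also refuses to downgrade.

```powershell
# Added example: swap the in-box OneDriveSetup.exe for a newer build during an MDT Application step.
$Source = Join-Path $PSScriptRoot 'OneDriveSetup.exe'                 # newer client shipped with this step
$Target = Join-Path $env:SystemRoot 'SysWOW64\OneDriveSetup.exe'      # 64-bit Windows 10 location
if (-not (Test-Path $Target)) { $Target = Join-Path $env:SystemRoot 'System32\OneDriveSetup.exe' }

function Get-FileVer([string]$Path) {
    $Info = (Get-Item -Path $Path).VersionInfo
    return [version]$Info.FileVersion
}

$SourceVer = Get-FileVer $Source
$TargetVer = Get-FileVer $Target
if ($SourceVer -le $TargetVer) {
    Write-Host "In-box client $TargetVer is already at or above $SourceVer; nothing to do"
    exit 0
}

$AclBackup = Join-Path $env:TEMP 'OneDriveSetup.acl'
try {
    # Save the DACL verbatim; icacls /save records entries relative to the parent folder
    & icacls.exe $Target /save $AclBackup /Q | Out-Null

    # TrustedInstaller owns the file, so Administrator cannot overwrite it until ownership moves
    & takeown.exe /F $Target /A | Out-Null
    & icacls.exe $Target /grant 'Administrators:F' /Q | Out-Null

    Copy-Item -Path $Source -Destination $Target -Force

    # Put the permissions and the owner back the way Windows shipped them
    & icacls.exe (Split-Path -Path $Target) /restore $AclBackup /Q | Out-Null
    & icacls.exe $Target /setowner 'NT SERVICE\TrustedInstaller' /Q | Out-Null
}
finally {
    Remove-Item -Path $AclBackup -ErrorAction SilentlyContinue
}

$NewVer = Get-FileVer $Target
if ($NewVer -ne $SourceVer) { Write-Error "Copy failed: $Target is still $NewVer"; exit 1 }
Write-Host "OneDriveSetup.exe updated from $TargetVer to $NewVer"
exit 0
```

The version comparison is what makes this safe to leave in the Task Sequence permanently: once Microsoft ships an ISO with a current client the step becomes a no-op instead of quietly replacing a newer file with an older one.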

I’m also thinking of setting up a scheduled task on the MDT server to pull down the latest OneDrive client at regular intervals so the Task Sequence always deploys the latest version. That should do the trick until Microsoft see sense and push it out properly via WSUS.

Silently configure OneDrive using the primary Windows account

The final piece of the puzzle is to make the client log in via SSO so users have a fully configured OneDrive without any additional login prompts. I was puzzled by this not working initially as the GPO looks straightforward but it didn’t seem to do anything.

I’d read that the SSO relies on ADAL (aka modern authentication) so I initially wondered if our SSO provider hadn’t implemented that yet. That didn’t seem to make much sense as ADAL has been out for a while now so I hit Google a bit more deeply to try and find some further detail.

The key (pun not intended, honest!) is the EnableADAL.reg file that’s squirrelled away at the bottom of the page; it sets the EnableADAL DWORD to 1 under HKCU\SOFTWARE\Microsoft\OneDrive. Deploy that via GPP et voilà, one perfect blue OneDrive icon without any user interaction 🙂

What next?

Having got Files on Demand working how we want with minimal cache, SSO and the latest client we can now move onto piloting it with our users. I’ve been tweaking Windows 10 GPOs today for some of the newer features such as Windows Defender Security Center, Exploit Protection etc. so the configuration is looking good enough for some early adoption!

After much anticipation and playing with Windows Insider previews OneDrive Files on Demand finally hit general release alongside Windows 10 1709 (Fall Creators Update) the other week. I’ve been giving it a test drive over the past week or two along with fellow Network tech Matt Stevens – here’s a few of our observations so far along with workarounds for a couple of teething issues.

Windows 10 build

There is one pretty important requirement to bear in mind with the new Files on Demand feature; it’s only available in build 1709 and above. That means you need to be on the Semi-Annual Channel (formerly Current Branch) rather than the LTSB route that some people have taken.

It’s new features like Files on Demand that make the additional work of staying up-to-date worthwhile; so far we have a couple of hundred laptops running 1703 without too much fuss so 1709 should slot in fairly smoothly as we build our images layer-by-layer now using only the pure Microsoft WIM as a starting point.

We tamed (nuked) the built-in apps via a very handy PowerShell script we found online (also see alternative version here) that runs during MDT deployment, and the Start Menu default tiles are cleaned up via a GPO layout file. Configure your Windows Store for Business (or Education as the case would have it), tweak a few more policies for Cortana, Telemetry etc. and Windows 10 becomes much more manageable even on the latest build.

Why Files on Demand?

If you don’t know what all the fuss is about check out the initial Insider announcement:

What it basically means is that we can finally integrate (huge amounts of) cloud storage with our on-premise desktops in a much tighter fashion and dispense with (unsupported) scripts or (expensive) third party tools to access OneDrive on a Windows desktop using File Explorer. It also means not having to deal with WebDAV, which always felt a horribly dated and clunky protocol to use for accessing cloud storage.

As soon as the 1709 ISO hit VLSC I grabbed it from Microsoft, slotted the new WIM into one of my MDT Task Sequences and deployed a VM to give the production version a try. It shows much promise but as always there’s some gotchas that mean nothing is ever quite straightforward.

Client version

Microsoft being Microsoft always have one shoot-self-in-foot moment whenever a new product comes out and this release was no exception. Despite having the freshly downloaded 1709 ISO I noticed that on first launch the client was showing up as 2016 and not the latest 2017 (17.3.7076.1026) that brings in Files on Demand

Similarly it also takes a while to update when deployed on a clean 1709 build due to the initial client being out-of-date. This also means if a user is a bit too quick off the mark they can end up with an old-school full sync rather than Files on Demand.

I’ve been trying to replace the client during the deployment Task Sequence but more testing is required as my initial attempt failed with “Application Microsoft OneDrive 17.3.7073.1013 returned an unexpected return code: 1”.

We force Files on Demand to be enabled as we don’t want sync cache eating up drive space on machines. We also configure our tenant ID (found via the Azure AD portal) in the Allow syncing OneDrive accounts for only specific organizations policy so only our Office 365 accounts can be used.
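The settings from this section and from the Silently configure OneDrive section above, as registry values rather than GPO/GPP, so they can be tested on one machine before the policy goes live. This is an added example, not the posts’ own GPOs; the tenant GUID is a placeholder, the policy value names (FilesOnDemandEnabled, AllowTenantList, SilentAccountConfig) are those the OneDrive ADMX template writes under HKLM\SOFTWARE\Policies\Microsoft\OneDrive, and EnableADAL is the per-user value from the EnableADAL.reg file, so it belongs in HKCU and is deployed per user.

```powershell
# Added example: OneDrive Files on Demand, tenant restriction and silent sign-in as registry values.
# Machine policy needs elevation; the HKCU value must be set in the user's context (GPP or logon script).

$TenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: your Azure AD tenant ID
$Policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Machine-wide: Files On Demand on, silent account configuration with the Windows account
Set-RegDword $Policy 'FilesOnDemandEnabled' 1
Set-RegDword $Policy 'SilentAccountConfig'  1
# Only allow sync to our own tenant: the value NAME is the tenant GUID, data 1
Set-RegDword (Join-Path $Policy 'AllowTenantList') $TenantId 1

# Per-user: modern authentication, which silent account configuration depends on
Set-RegDword 'HKCU:\SOFTWARE\Microsoft\OneDrive' 'EnableADAL' 1

# Read everything back for the deployment log
function Get-OneDriveConfig {
    [ordered]@{
        FilesOnDemandEnabled = (Get-ItemProperty -Path $Policy).FilesOnDemandEnabled
        SilentAccountConfig  = (Get-ItemProperty -Path $Policy).SilentAccountConfig
        AllowedTenants       = (Get-Item -Path (Join-Path $Policy 'AllowTenantList')).GetValueNames() -join ','
        EnableADAL           = (Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\OneDrive').EnableADAL
    }
}
Get-OneDriveConfig
```

The silent sign-in only fires for a user who has not already configured OneDrive, so test on a fresh profile; an account that was set up by hand before the policy arrived will look like the policy is doing nothing.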

Clearing local cache (Free up space)

One important thing to remember about using Files on Demand is that when a file is either downloaded from the cloud, or freshly uploaded to it a cached copy will be kept on the local machine.

Over time (or with a large upload) this cache could grow and cause similar issues to what we were trying to avoid, especially with a shared machine and large volumes of users (pretty much the case for all our classroom machines)

At present it seems that no policies exist to force the “Free up space” option that removes the cached copies of files. However the article below suggests that using the new file attributes that have been brought in with 1709 can automate the process.

“Attrib.exe enables 2 core scenarios. “attrib -U +P /s”, makes a set of files or folders always available and “attrib +U -P /s”, makes a set of files or folders online only.”
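To turn that into something usable on a shared classroom machine, here is an added example (not from the post) that reports how much of the current user’s OneDrive is hydrated locally and, with -FreeUpSpace, marks the whole tree online-only using the attrib switches quoted above. It assumes the sync root is the folder the client records in $env:OneDriveCommercial (falling back to $env:OneDrive) and recognises an online-only placeholder by the FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS bit (0x400000). It is intended as a logoff script.

```powershell
# Added example: measure local OneDrive hydration and optionally dehydrate everything at logoff.
param([switch]$FreeUpSpace)

$RecallOnDataAccess = 0x400000   # set on online-only placeholders; clear on hydrated files

function Get-OneDriveHydration([string]$Root) {
    $Hydrated = 0L; $Placeholders = 0
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        if (([int]$_.Attributes -band $RecallOnDataAccess) -ne 0) { $Placeholders++ }
        else { $Hydrated += $_.Length }
    }
    [pscustomobject]@{ Root = $Root; HydratedBytes = $Hydrated; PlaceholderFiles = $Placeholders }
}

$Root = if ($env:OneDriveCommercial) { $env:OneDriveCommercial } else { $env:OneDrive }
if (-not $Root -or -not (Test-Path -Path $Root)) {
    Write-Warning 'No OneDrive sync root found for this user'
    exit 0
}

$Stats = Get-OneDriveHydration $Root
'{0}: {1:N1} MB hydrated locally, {2} online-only placeholders' -f $Stats.Root, ($Stats.HydratedBytes / 1MB), $Stats.PlaceholderFiles

if ($FreeUpSpace) {
    # +U (unpinned) -P (not pinned) marks everything online-only; the sync client then evicts
    # the local copies in the background, so don't expect the figure above to drop instantly
    & attrib.exe +U -P "$Root\*" /S /D
    if ($LASTEXITCODE -ne 0) { Write-Warning "attrib returned $LASTEXITCODE" }
}
```

Run it without -FreeUpSpace first on a few machines to see how big the cache actually gets; if users are mostly opening files they never edit, the hydrated figure will tell you whether the logoff dehydration is worth the re-download cost next lesson.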

Today I took a trip down to ExCeL London for Microsoft’s annual Future Decoded conference. As always it proved an interesting showcase of their future vision and a chance to gain technical insights into current and future projects. Here’s a few of my take-aways from the day…

Deploying Windows 10 with Autopilot

Although I’d read a bit about this a while back it was useful to see the Windows 10 Autopilot deployment process in action and the rationale behind using it. Given that we have been deploying some pilot Windows 10 devices to staff it does in theory help speed up that initial out-of-box process for devices that we predominantly see as cloud-managed and want to hand out without too much fuss.

For me this method will be applied to devices that will spend more time off the main AD network than on it and likely have fairly simple requirements for pre-installed software. My colleagues in the office will also be pleased to hear Autopilot helps to skip the initial talking Cortana screen that’s been heard many a time so far during testing (!)

However the next part and real power of the “Modern” deployment method being showcased requires Intune in order to set up full profiles with customisable apps, settings etc. Although an MDM solution is on my wish list to get more control over roaming mobile devices it’s another software subscription bolt-on, so making it an almost-necessary part of the Modern deployment experience sits a bit uneasy with me.

Another useful piece of advice was to check out Windows Analytics to help prepare for our Win10 migration project, which I need to have a proper look at tomorrow.

Microsoft Hands On labs

During the break out sessions there were plenty of Surfaces put out on the 3rd floor running “Hands On” lab training materials. These looked like they’d be perfect for students in IT courses to use for trying out Azure etc. rather than needing access to a physical lab or trial accounts in a live environment.

The content covers Windows 10, Office 365 and Azure so it’s perfect for either keeping your own skills up to date or providing students with a good few hours’ worth of e-learning material, which is interactive because you actually configure VMs rather than just watching videos.

All you need is some form of Microsoft account to log in with and away you go 🙂

here’s one I made earlier…

Security & ATP

One thing 2017 will certainly be remembered for in the tech world is the high profile ransomware attacks that have brought home the realities of modern malware threats to a much broader audience than perhaps ever before. As such the session on Advanced Threat Protection was particularly interesting.

All of this sounds great until the dreaded “l” word comes around… yup, it’s licensing. Although none of these services grow on trees there’s only so far budgets can stretch, particularly for us Education users. One thing that’s a real problem for Education in particular is that all the new cloud-first offerings are being sold solely on a per-user basis rather than the fairer per-FTE staff method for our on-prem EES-licensed products. Costs can soon spiral upwards and make some of these offerings (Azure AD Premium I’m looking at you!) almost unobtainium.

A small plea to the powers that be…

If someone from Microsoft happens to end up reading this just think of it this way… in Edu we want to make use of these new solutions and embrace the tech that’s on offer to help provide the best environment we can for users.

I’m not saying we expect Microsoft to give it all away for free (although we’d be more than happy if you’re feeling generous!) but realise that we need to protect student accounts and machines as much as we do staff and paying for a 5000-seat EMS or ATP setup is just impossible. The end result, everyone loses (well perhaps not if you’re Google, who are working hard to take that Edu market if Microsoft don’t want it for some reason) so please rethink these pricing models and help make them work for non-profits as well.

Windows Mixed Reality

Towards the end of the day I went to the Mixed Reality stand to try out the new headsets, which sit in a much more affordable price range than the incredibly-cool-but-very-pricey HoloLens. We’re currently building a new campus for construction and engineering so I was interested to see if Mixed Reality could fit in there.

Having tried a Lenovo headset with its associated controllers I’m impressed! Whilst VR headsets \ Google Cardboard made that first step there was still a disconnect in terms of interacting with the world you were immersed in, but the hand-held controllers help take this a step further and bring you more into the 3D virtual environment.

The out-the-box demo of walking around a house picking up and manipulating objects showed potential for me as I can imagine students being able to design in 3D using something like Maya then showcase those objects in a virtual environment using Mixed Reality.

The idea of pinning multiple virtual screens, opening Windows apps and working through the headset is also intriguing, although I suspect it needs 4K lenses for longer periods of use than the 2K ones being fitted into the kit at present.

The demo finished off with a rather addictive space invaders-style game using the VR controllers. Anyone with a Playstation VR or similar has no doubt already experienced something similar and more but it’s good to see an attempt to bring the technology into productivity tools as well. One of the opening keynotes focused heavily on HoloLens and Mixed Reality so it does seem Microsoft are really going for this area of the market.

It’s also another reason to go down the Windows 10 (1709) route as these features are only available on the new Fall Creators Update.

Fail of the day

However Microsoft wouldn’t be Microsoft if they didn’t shoot themselves in the foot from time to time. At the first Future Decoded it was the irony of queuing at a tech event to collect a piece of paper, but today’s award moves the bar up a notch… step forward the Future Decoded app!

At an event where you spend the whole day watching cutting-edge Azure cloud technology Microsoft hired an external company to make possibly the worst conference app I’ve ever used…

slow to load and required registration to view even basic content, why MS would need that data is beyond me as they spend all day scanning your badge as you move between rooms

website scraping to populate the app content, if I wanted a web page I’d open it directly

seminar sessions list that had to be manually filtered per day (looks like a GETDATE function was too difficult to implement?)

but the worst & most irritating was the “My Agenda” planner that didn’t generate a personal agenda at all and just scraped the keynote details from the website… hopeless

Maybe next year get some of your in-house people to showcase some of those cutting-edge Azure technologies via the app, but whatever you do don’t bring this one back!

In preparation for the new kit I’ve rebuilt our main streaming machine which runs vMix HD as it needed a bit of freshening up. It now runs Windows 10 LTSB with some added local storage and Google Drive File Stream for longer-term video archives (may as well make use of that unlimited Google Drive!)

The fix

Having had a look around there’s a few reports of the error on the BlackMagic forums but no solutions listed.

Having noticed the installer was an MSI I thought I’d give it a go via command line instead:

msiexec /i "Desktop Video Installer v10.9.3.msi" /qb

Quelle surprise, it installed perfectly! Not sure what the installer GUI is trying to do that makes the process fail but everything is there using the msiexec method, software and drivers all looking good.

Making IT work

Welcome to my blog, my name is Gerrard Shaw, currently working as a Network Support Officer at Havering College of Further and Higher Education.

I'll be focusing on new developments with Office 365, Windows, Moodle and server \ networking technologies. I'm a great believer in sharing best practice and contributing to the wider technical community so hope you'll find something of interest...